CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14114
https://notcve.org/view.php?id=CVE-2020-14114
information leakage vulnerability exists in the Xiaomi SmartHome APP. This vulnerability is caused by illegal calls of some sensitive JS interfaces, which can be exploited by attackers to leak sensitive information. Se presenta una vulnerabilidad de filtrado de información en la APP Xiaomi SmartHome. Esta vulnerabilidad es causada por las llamadas ilegales de algunas interfaces JS confidenciales, que pueden ser explotadas por los atacantes para filtrar información confidencial • https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=277 •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2019-11063 – SmartHome application has a broken access control vulnerability in its Web API Server
https://notcve.org/view.php?id=CVE-2019-11063
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Una vulnerabilidad de control de acceso interrumpida en la aplicación SmartHome (versiones de Android hasta 3.0.42_190515, versiones de iOS hasta 2.0.22) permite a un atacante dentro de la misma red de área local enumerar cuentas de usuario y controlar dispositivos IoT que conectan con su puerta de enlace (HG100) por medio de http://[target]/smarthome/devicecontrol sin ninguna autenticación. CVSS 3.0 Puntuación Base 10 (Impactos de Confidencialidad, Integridad y Disponibilidad). • http://surl.twcert.org.tw/5LWQJ https://github.com/tim124058/ASUS-SmartHome-Exploit https://tvn.twcert.org.tw/taiwanvn/TVN-201908014 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2017-2704
https://notcve.org/view.php?id=CVE-2017-2704
Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder(EMUI6.0) 9.3.0.310 and earlier versions,HwPhoneFinder(EMUI5.1) 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions have an information exposure vulnerability. Encryption keys are stored in the system. The attacker can implement reverse engineering to obtain the encryption keys, causing information exposure. Smarthome 1.0.2.364 y versiones anteriores, HiAPP 7.3.0.303 y anteriores, HwParentControl 2.0.0 y anteriores, HwParentControlParent 5.1.0.12 y anteriores, Crowdtest 1.5.3 y anteriores, HiWallet 8.0.0.301 y anteriores, Huawei Pay 8.0.0.300 y anteriores, Skytone 8.1.2.300 y anteriores, HwCloudDrive(EMUI6.0) 8.0.0.307 y anteriores, HwPhoneFinder(EMUI6.0) 9.3.0.310 y anteriores, HwPhoneFinder(EMUI5.1) 9.2.2.303 y anteriores, HiCinema 8.0.2.300 y anteriores, HuaweiWear 21.0.0.360 y anteriores y HiHealthApp 3.0.3.300 y anteriores tienen una vulnerabilidad de divulgación de información. Las claves de cifrado están almacenadas en el sistema. • http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170920-01-encryption-en • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •